fix(octo-sts): grant pull_requests:write so GitLab CI can post PR comments

.github/PULL_REQUEST_TEMPLATE.md

@@ -17,7 +17,9 @@ unless the change does not modify code (e.g. only modifies docs, comments).
 
 **For Datadog employees**:
 - [ ] If this PR touches code that signs or publishes builds or packages, or handles
-  credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`.
+  credentials of any kind, I've requested a security review (run the `dd:platform-security-review`
+  skill, or file a request via the [PSEC review form](https://datadoghq.atlassian.net/jira/software/c/projects/PSEC/forms/form/direct/7861446195161534/37715)).
+  `bewaire` also runs automatically on every PR.
 - [ ] This PR doesn't touch any of that.
 - [ ] JIRA: [JIRA-XXXX]
 

.github/chainguard/async-profiler-build.ci.sts.yaml

@@ -6,4 +6,7 @@ subject_pattern: "project_path:DataDog/java-profiler:ref_type:branch:ref:.*"
 permissions:
   contents: write
   issues: write
-  pull_requests: read
+  # write (not read) is required to post comments on pull requests via the
+  # issues/comments endpoint — GitLab CI back-reports benchmark & reliability
+  # results to the PR (see .gitlab/scripts/upsert-github-pr-comment.sh).
+  pull_requests: write